Tuesday, June 30, 2009

CCNA Voice Study

So these are more or less notes for myself. I am starting to study for the CCNA Voice exam and will be posting notes here, as typing and reading are two ways to reinforce the knowledge.

Loop start signaling – A process in which the end point connects the tip and ring wires together to complete the circuit.

Ground start signaling – A process in which a ground signal is sent to the CO to signal that an outgoing call is going to proceed. Typically used in a PBX.

Glare – Occurs when an end user picks up the phone at the same moment an incoming call arrives; a problem with loop start signaling.

Dual-tone multifrequency (DTMF) – Each key on the phone generates two tones, one high frequency and one low frequency. AKA tone dialing, versus pulse dialing.

Pulse dialing – a process in which the phone quickly connects and disconnects the local loop circuit wires, sending a series of “pulses” to the CO to designate what number is being pressed.

Pulse-amplitude modulation (PAM) – The process of sampling an analog waveform many times to determine numeric electric amplitude values. AKA the sampling process.

Quantization – Assigning numeric values to analog signals so they can be transported over a digital network.

Pulse-code modulation (PCM) – The process in which the sampled (PAM) value is converted into an 8-bit binary number.

Time-division multiplexing (TDM) – By sending data in specific time slots multiple channels of voice or data can be sent over a single connection.

Channel associated signaling (CAS) – A T1 signaling type that uses a bit from each DS0 channel to send signaling information back to the CO. Also known as Robbed Bit Signaling.

Common channel signaling (CCS) – A T1 signaling type that uses a dedicated DS0 to send signaling information back to the CO.

Robbed Bit Signaling (RBS) – See CAS. It steals the 8th bit of each channel in every 6th frame.

Super Frame (SF) – Sends groups of 12 T1 frames at a time. All of the framing bits are used for synchronizing the near end and far end T1 equipment.

Extended Super Frame (ESF) – Sends groups of 24 T1 frames at a time. Of the 8000 framing bits per second, 2000 are used for synchronization, 2000 for error checking and 4000 for a supervisory channel that carries control functions and error reporting.

Q.931 – The ISDN CCS signaling type.

Local loop – Link between customer premises and the telco provider.

Private Branch Exchange (PBX) – customer equipment that allows them to run a private voice network.

Key system – Allows a company to run a private voice network. Usually smaller than a PBX and provides a shared line appearance. (Some newer key systems may provide unique extensions like a PBX.)

Signaling System 7 (SS7) – A signaling type used in the telco network to provide inter-CO connectivity and call routing.

E.164 – The ITU standard for telephone numbers and used on the PSTN.

Tuesday, June 16, 2009

Lacerte Tax 2008 in Restricted User Environment

Those of you who have had the misfortune to work in IT and support Lacerte Tax know the pain it causes. Not only is it written poorly from a server-client standpoint, but also as an application in general. However, after much swearing and frustration, I have figured out the security rights to grant so that you can keep a user at user level and still be able to run Lacerte.

  1.    Install Lacerte from the network as an administrator on the machine. Make sure it works.
  2.    Open Windows Explorer and go to the C: drive.
  3.    Right Click the Lacerte folder and select properties.
  4.    Go to the Security Tab and select Users.



  5.    Grant them modify rights click apply and ok.
  6.    Go to C:\Windows. Grant users modify rights on the following files: W08Tax.ini, Lacerte.ini, WTAXSYNC.ini.

Please note for each year of Lacerte installed there should be a corresponding W(Year)Tax.ini file.

  7.    Go to Start > Run > Regedit.
  8.    Browse to HKLM > Software > Intuit
  9.    Right click the Intuit key and select Permissions.
  10.    Grant users Full Control over the key, click ok.



  11.    Right click the Lacerte key and select Permissions.
  12.    Grant users Full Control over the key, click ok.

*Note* Your domain users will need modify rights over the network locations where the Lacerte data is held as well.

That should do it. You should now be able to run Lacerte as a regular limited user without having to give up the keys to the kingdom.
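The same grants as steps 5 through 12, scripted so they can be repeated on each workstation and checked afterwards (an added example, not from the original post). It assumes Lacerte is installed in C:\Lacerte, that only the 2008 year (W08Tax.ini) is installed, and that it runs from an elevated PowerShell prompt.

```powershell
# Added example: grant BUILTIN\Users the rights from the post, and nothing wider.
# Assumptions: C:\Lacerte is the install folder and '08' is the only year installed.
# On 64-bit Windows a 32-bit Lacerte would keep its keys under HKLM:\SOFTWARE\Wow6432Node\Intuit.
$ErrorActionPreference = 'Stop'
$usersSid   = 'S-1-5-32-545'                       # well-known SID for BUILTIN\Users
$lacerteDir = 'C:\Lacerte'
$years      = @('08')                              # add each installed year, e.g. '07','08'
$iniFiles   = @('Lacerte.ini', 'WTAXSYNC.ini') + ($years | ForEach-Object { "W${_}Tax.ini" })
$regKeys    = @('HKLM:\SOFTWARE\Intuit', 'HKLM:\SOFTWARE\Intuit\Lacerte')

# Step 5: Modify on the program folder, inherited by its files and subfolders.
icacls $lacerteDir /grant "*${usersSid}:(OI)(CI)M" /T /Q

# Step 6: Modify on the individual .ini files only, leaving the rest of C:\Windows alone.
foreach ($name in $iniFiles) {
    $path = Join-Path $env:windir $name
    if (Test-Path $path) { icacls $path /grant "*${usersSid}:M" /Q }
    else { Write-Warning "$path not found, skipping (is that Lacerte year installed?)" }
}

# Steps 10 and 12: Full Control for Users on the Intuit and Lacerte keys.
$users = New-Object System.Security.Principal.SecurityIdentifier($usersSid)
$rule  = New-Object System.Security.AccessControl.RegistryAccessRule(
    $users, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
foreach ($key in $regKeys) {
    $acl = Get-Acl -Path $key
    $acl.AddAccessRule($rule)
    Set-Acl -Path $key -AclObject $acl
}

# Verify what a limited user now holds on exactly these objects.
icacls $lacerteDir | Select-String 'BUILTIN\\Users'
foreach ($key in $regKeys) {
    (Get-Acl -Path $key).Access |
        Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' } |
        Format-Table @{n='Key';e={$key}}, RegistryRights, InheritanceFlags -AutoSize
}
```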

To Lacerte all I have to say is FIRE YOUR PROGRAMMERS. The amount you charge your customer base per year for your software and the lack of writing it for an enterprise environment is unforgivable. Your product is a pile of crap. I’d be more than happy to give you some ideas on how to improve it but something tells me I won’t hear from you.

Friday, June 12, 2009

Applying CUCM Patches to CUCM 6.1

As we all know, all software is broken from the day it ships. CUCM is no exception (Cisco Systems, please don’t sue me, I’m just stating a fact about bugs), so like all things there are patches. This will go over the process of getting the patches and applying them to your CUCM server. You must have a valid CCO account and support agreement to legally follow this document.

Download the Update
1. Login to Cisco CCO.
2. Go to Support > Download Software *subject to change*
3. Voice and Unified Communications Software.
4. Use the new software delivery system.
5. Expand IP Telephony > Call Control > Cisco Unified Communication Manager (CallManager).
6. Click on Cisco Unified Communications Manager Version 6.1.
7. Click on Unified Communications Manager Updates.
8. In this case I’m going to select the latest release of 6.1(3b)SU1.

*WARNING* Read the readme for 6.1(3b)SU1, which I highly recommend for all upgrades. You will notice that the upgrade path to 6.1(3b)SU1 is from the 6.1.3x platform only, so if you are running 6.1.1 you will need to find the intermediate upgrade before you can apply this one.

9. Go ahead and download the ISO file. I would recommend verifying the MD5 checksum to make sure the download was not corrupted. Then burn the disc.

Google “md5sums”; it’s a simple tool that lets you drag and drop a file onto it and calculates the MD5 hash for comparison against the value on Cisco’s website.

Apply the Patch
1. On your CUCM server go to Cisco Unified OS Administration.



2. Go to Software Upgrades > Install/Upgrade.



3. We will be using the DVD/CD option that you burned. By the way it might be a good time to put this disc in the drive of the server you’re patching.
4. In Directory just put a / as the patches are on the root of the disc’s file system.



5. Click Next
6. It should now show the version available to upgrade. You can also select if you would like it to reboot the server once it is completed.
7. Click Next
8. You can now monitor the progress. Be advised this can take an hour or more to complete. On my test CUCM server in a VM it took an hour and a half to patch with zero items in the DB. The more you have in your CMDB, the longer this will take.

Kick back and watch the text scroll by. If all is well, once this completes your server should restart and the logon page should reflect the new version. This may also install new firmware for your phones, so be advised they will all start updating as well. I would recommend blocking out a large segment of time for this upgrade, depending on the size of your install.

Thursday, June 11, 2009

Implementing Extension Mobility

So a feature we have decided to implement with our upgrade for all of our phone users is extension mobility. Extension mobility allows a person to hit Services on the phone, enter their username and a PIN, and have that phone pull all of their information from the CUCM cluster and become their extension. This means they no longer have to take their phones with them when they move desks; they merely sit down, enter their info and bam, the phone is theirs.

There are a few steps to accomplish this task. We must first enable the service, tweak a setting in the service parameters, set up the extension mobility service, and create the virtual phone device profiles. In reality they are just device profiles, but I find calling them virtual phone device profiles helps with understanding what they really are. Finally we subscribe physical and virtual phones, along with end users, to the service and profiles.

With the explanation out of the way, let’s get started. Wait, wait, there is one more point to bring up. We have a choice to make, or rather you have a choice to make.

There are two ways to implement extension mobility. You can do it on a per-user basis, so everyone has a normally configured phone but a few select people, say VPs and C-level people, have the mobility feature. This is how we did it at my last employer. The other option, the one we are going with here, is that no one specifically has a phone assigned to them. Everyone gets an extension mobility profile and then logs into their phone wherever they are sitting. The advantage for us is that with all the office moves, changes, etc., no one will have to wait for IT to either re-program or move their phone. The configuration is the same either way; it’s just a matter of whether you will be making a handful of extension mobility profiles or a lot, and whether you will be associating physical phones to people or not. (Hint: the bulk editor is your friend.)


Enable Extension Mobility
1. Go to Cisco Unified Serviceability.



2. Tools > Service Activation.
3. Put a check in the Cisco Extension Mobility box and click save.

Adjust Service Parameters
1. Go to Cisco Unified CM Administration.
2. System > Service Parameters



3. Select your server from the drop down list. If you have a cluster, select your publisher.
4. Select Cisco Extension Mobility (Active)
5. Under Multiple Login Behavior change this from Multiple Logins Not Allowed to Auto Logout. This way, should a user forget to log out and want to log in somewhere else, they will be automatically logged out on the other phone.
6. Click Save.



Create Extension Mobility Service
1. Go to Device > Device Settings > Phone Services.



2. Click Add New.
3. Service Name = Extension Mobility
4. ASCII Service Name = What you want to display on phone. I used Extension Mobility.
5. Service Description = What you want explaining the service in CUCM. I again used Extension Mobility.
6. Service URL = http://(IP of CallManager):8080/emapp/EMAppServlet?device=#DEVICENAME#
7. Click Save.

Create Device Profile
1. Go to Device > Device Settings > Device Profile.



2. Click Add New.
3. Select the phone model that this user will be using and click next.
You notice this looks like a stripped down version of the phone template.
4. Fill out the fields as applicable. Under Device Profile Name make sure you note the user’s name or login for future identification, as this will be their phone for all intents and purposes.
5. Click Save.



You should now be at a screen remarkably similar to a phone configuration. This again is why I call them virtual device profiles. We are programming a phone; it’s just associated to a user instead of a MAC address.
6. Click on Line 1 and add your DN as you normally would.
7. Click Save once you are done adding your DN.
We have now created the virtual phone profile AKA Device Profile. Now we need to associate it to our user and subscribe the service to the phone and user.

Subscribe Phones and End Users to Extension Mobility Service
1. Go to Device > Phone.
2. Pick a phone you want to work with.
3. Scroll down to the Extension Information section.
4. Check the Enable Extension Mobility box.



5. Click Save.
6. Go to User Management > End User
7. Pick a user you want to work with.
8. In the Extension Mobility section select the device profile you created for this user. Move it down into the Controlled Profiles.



We now have the user associated to his profile. Now we must subscribe both the physical and virtual phone to the extension mobility service. This may seem confusing as we already enabled it. Correct, we enabled the service on the phone and user, but we didn’t give the user an entry point to get to the service. That is what subscribing is for. This will make the service show up when the user hits the Services button on their phone.
9. Go to Device > Phone.
10. Select your phone you’re working with.
11. In the related links drop down select Subscribe/Unsubscribe Services.



12. In the Select a Service drop down select Extension Mobility. This is the service we created earlier.
13. Click Next.
14. If you wanted to change the display name you could here but the defaults we setup should be fine. Click Subscribe.



15. Close this window.
Now you might think I’m done, but you’d be wrong. Sure, now you could go over to the phone and log in as that user, no problem. Now try to log out. What is that you say? You go to Services and there aren’t any. Well of course not, their virtual phone (AKA Device Profile) hasn’t been subscribed to the Extension Mobility service. Let’s fix that.
16. Go to Device > Device Settings > Device Profile.
17. Select the Device Profile you’re working with.
18. Under related links select Subscribe/Unsubscribe Services.
19. Run through the process of adding the Extension Mobility service same as we did for the physical phone.

That’s all there is to it. You should now be able to hit Services on the phone when it’s in its blank state and enter your username and PIN. The phone should do a quick reset and bam, it’s now that user. Now you just need to make umpteen device profiles for people.

Wednesday, June 10, 2009

Configure Cisco Unified Communications Manager (CUCM) to Authenticate End Users against Active Directory

A project you will be seeing many posts about. At work we are working to upgrade our Cisco CallManager from 4.1 to 6.1. This is a task I have done before; however, now with more focus and a little less hectic of a career, I am going to take the opportunity to document the process.

We are compiling a list of wants and needs for the upgrade. One feature we are playing with in development right now is LDAP integration. This will allow us to target a few specific OUs (Organizational Units) in Active Directory for the region our CUCM 6.1 servers will be supporting. This way we don’t end up with all 20k+ users in our CUCM database.


1.    Make sure the Cisco DirSync service has been activated. Without this you’ll find all the settings in the world will yield you no users synchronized to the CMDB.

    a)    Go to Cisco Unified Serviceability.


    b)    Check Cisco DirSync and save.
    c)    Go back to Cisco Unified CM Administration.

2.    Go to the System Tab > LDAP > LDAP System Configuration.



3.    Put a check in the Enable Synchronizing from LDAP Server box.
    a)    Select the appropriate LDAP Server Type and Attribute type. In our case the Type is Microsoft Active Directory and sAMAccountName is the User ID field.
    b)    Click save.


4.    Go to the System Tab > LDAP > LDAP Directory. This is where we will configure the DNs to search for user synchronization from Active Directory.
5.    Click Add new.
6.    Fill in the fields as follows.
    a)    LDAP Configuration Name = A logical name you give to this directory.
    b)    LDAP Manager Distinguished Name = An AD account with read rights to AD. I recommend creating a service account for this purpose.
    c)    LDAP Password = Password for that AD account.
    d)    Confirm Password = If I have to explain stop now.
    e)    LDAP User Search Base = The LDAP DN of the container where you want CUCM to search for users. The easiest way to find this is to get LDP.exe from Microsoft and take the following steps.
        i.    Launch LDP.exe
        ii.    Click Connection > Connect. Leave the box blank and it will bind to your current AD domain assuming the machine you are using is in the Forest / Domain you want CUCM to reference. Click ok.
        iii.    Click Connection > Bind. You should be able to use the default of the currently logged in user. In most organizations all users have read rights to AD.
        iv.    Click View > Tree. The BaseDN would be the simplest form of your domain so blah.net. Click Ok.
        v.    You should now have a tree on the left hand side and should be able to browse to the OU containing the users you want CUCM to add to the database for you.
        vi.    Once you locate the OU right click it and click Copy DN. This will copy the full DN making for simple copy and paste delight over in CUCM.



    f)    Paste the DN into the LDAP User Search Base.

7.    Set up your schedule for how often you want CUCM to sync from Active Directory. Depending on the changes made per day, this could be once a day up to every couple of hours if a lot of changes are made. The biggest thing to avoid is large syncs during business hours, as they may put additional load on the CUCM cluster.
8.    Set up what fields you want to map. In our case the defaults were fine.
9.    Finally put in the DNS name or IP address of your Domain Controller. Whether it uses port 389 or the SSL port is between you and your AD team. I highly recommend adding redundant Domain Controllers; this way, should the first fail, the CUCM server will still be able to perform scheduled syncs.
10.    Click Perform Full Sync Now to kick off the first sync. It may take a while, but you should eventually see people show up under User Management > End Users.
11.    Ok so now we have people in the directory right? Well now we need to tell CUCM to use the LDAP server (Active Directory) to authenticate them.
12.    Go to System > LDAP > LDAP Authentication.
13.    Check the Use LDAP Authentication for End Users box.
14.    In the LDAP Manager Distinguished Name field, this again is our service account to read against AD.
15.    In the LDAP Password field put the password of said service account.
16.    Confirm Password again; if I have to explain I don’t know how you even got this far.
17.    LDAP User Search Base. This is a little different: instead of specifying all the way down to the OU level for our LDAP DN, we want to specify the root of the forest. This way any valid user, regardless of whether they get moved, should be able to authenticate. e.g. DC=company,DC=net
18.    Next fill in the same domain controllers and settings you used for the previous step. Again, I stress resiliency here is your friend, unless you like having to work weekends and nights, in which case by all means shun fault tolerance.
19.    Click save.
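An added check (not part of the original post) that looks up the two search bases from steps 6e and 17 with the ActiveDirectory module and then binds as the service account over the SSL port mentioned in step 9, so a wrong DN, password or certificate shows up here rather than in the CUCM sync log. The OU name, domain controller and account name below are placeholders.

```powershell
# Added example: find the sync and authentication search bases and prove the service
# account can bind over LDAPS (636) and read the sync OU. Names are placeholders.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ouName     = 'Voice Users'              # placeholder: OU holding the users to sync
$dcHost     = 'dc1.company.net'          # placeholder: domain controller CUCM will point at
$svcAccount = 'COMPANY\svc-cucm-ldap'    # placeholder: read-only service account from step 6b
$cred = Get-Credential -UserName $svcAccount -Message 'LDAP Manager password'

# Step 6e: the sync search base is the OU's DN, the same value LDP.exe's Copy DN gives.
$syncBase = (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'").DistinguishedName
# Step 17: the authentication search base is the root of the domain, e.g. DC=company,DC=net.
$authBase = (Get-ADDomain).DistinguishedName
"LDAP User Search Base (sync):  $syncBase"
"LDAP User Search Base (auth):  $authBase"

# Step 9: bind the way CUCM will, a simple bind on the SSL port rather than clear-text 389.
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dcHost, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred.GetNetworkCredential())
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Bind()    # throws LdapException if the password, account or DC certificate is wrong

# Read the OU itself to confirm the account has read rights where CUCM will search.
$req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $syncBase, '(objectClass=organizationalUnit)', 'Base', 'distinguishedName')
$resp = $conn.SendRequest($req)
"Service account read $($resp.Entries.Count) entry at $syncBase over LDAPS"

# Pull a few sAMAccountName values (the User ID attribute from step 3a). AD reports
# sizeLimitExceeded as an exception when the OU holds more than SizeLimit users,
# so the partial result is taken from the exception's Response in that case.
$sample = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $syncBase, '(&(objectClass=user)(sAMAccountName=*))', 'Subtree', 'sAMAccountName')
$sample.SizeLimit = 3
try { $hits = $conn.SendRequest($sample) }
catch [System.DirectoryServices.Protocols.DirectoryOperationException] { $hits = $_.Exception.Response }
$hits.Entries | ForEach-Object { $_.Attributes['sAMAccountName'][0] }
$conn.Dispose()
```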


Time to give it a spin. Go to the IP address of your CUCM server followed by /ccmuser, e.g. https://10.20.6.157/ccmuser/. You should be able to log in with your AD username and password.


So hopefully you are able to log in. Now the unfun part. Each end user needs to be associated to a device so that they can take full advantage of this. I will follow up with another document on how to make these associations in bulk, unless you want the pain of matching people up to phones.

Monday, June 8, 2009

Cisco AnyConnect versus Cisco VPN Client (IPSEC)

Below is a small list I created for a project at work, comparing the newer Cisco AnyConnect SSL client to the older Cisco IPSEC VPN Client.

| Feature | AnyConnect | IPSEC VPN Client |
|---|---|---|
| Support for 64-bit Windows. | Yes | No |
| Connect before logon support for Windows Vista. | Yes | No |
| Requires PKI framework. | Yes | No* (if client side certificates are not used) |
| Functions in locked down network environment (web proxy, port blocking, etc.). | Yes | No |
| Supports high encryption, AES-256 for example. | Yes | Yes |
| Ease of administration by distributing software / profile updates from the head end security appliance. | Yes | No |
| Designed for latency-sensitive traffic. | Yes | No |
| RADIUS authentication support. | Yes | Yes |
| Can be implemented in tandem with IPSEC infrastructure. | Yes | Yes |
| Vulnerable to man in the middle attack. | Yes | No |
| Vulnerable to MD5 SSL exploit. | Yes | No |
| Able to function in extreme latency / low bandwidth circumstances, e.g. satellite. | Yes | No |

*Bolded result deemed positive feature.*